From: "Martin Gainty"
To: "Tomcat Users List"
Subject: Re: Certificate Revocation Lists in Tomcat 5.5
Date: Wed, 30 Nov 2005 22:38:28 -0500

The answer here is "definite maybe".

If the certificate issuer does not support Online Certificate Status Protocol (OCSP), then there is no ability to verify that the certificate is invalid, as the ability to determine 'revoked status' in itself fails.

To this day this is a known bug with CRLs and one which should force more verifiable security precautions such as Kerberos from MIT or perhaps the use of Public Key Encryption (PKI).

Martin-

----- Original Message -----
From: "Kennedy Roberts"
To: "Tomcat Users List"
Sent: Wednesday, November 30, 2005 2:49 PM
Subject: Re: Certificate Revocation Lists in Tomcat 5.5

> Martin,
>
> Thanks again for your input. The reason I ask about "quirks" is because I have seen examples using crlFiles (note the 's') rather than crlFile. The value for this parameter then used a wildcard to point to all of the files in a certain directory. Have you seen it used like this?
>
> And just to clarify: once I do have a CRL, if I point to it in this manner, and also have client authentication enabled, I should be barred from accessing the site with a revoked certificate, correct?
>
> Thanks,
>
> Kennedy
>
>
> ----- Original Message -----
> From: "Martin Dubuc"
> To: "Tomcat Users List"
> Sent: Wednesday, November 30, 2005 2:45 PM
> Subject: Re: Certificate Revocation Lists in Tomcat 5.5
>
>> 1) crlFile is a standard parameter for Connector since Tomcat 5.5.10 if my recollection is right.
>>
>> 2) There are no quirks in using it.
>>
>> Martin
>>
>> --- Kennedy Roberts wrote:
>>
>>> After doing some research, I have found a few examples of {tomcat.home}/conf/server.xml files online that use the "crlFiles" param as part of a connector. Is this a standard parameter that can be used in the server.xml file? I ask because the sites where I have found these examples are not clear in whether this is some "added" functionality. The reason I don't try it out myself is because at this point I don't have a CRL which contains any of the certificates we use in our development environment.
>>>
>>> To summarize:
>>>
>>> 1) Is the crlFiles param a standard element?
>>>
>>> 2) Has (does) anyone use this param, and are there any quirks to using it?
>>>
>>> Thanks,
>>>
>>> Kennedy
>>>
>>>
>>> ----- Original Message -----
>>> From: "Martin Dubuc"
>>> To: "Tomcat Users List"
>>> Sent: Tuesday, November 29, 2005 3:11 PM
>>> Subject: RE: Certificate Revocation Lists in Tomcat 5.5
>>>
>>>> CRL support is present in Tomcat 5.5.12.
>>>>
>>>> I am not an expert on Tomcat CRL support but what I know is the following:
>>>>
>>>> - You will need to recompile some of the tomcat-util.jar classes with JDK 1.5 because Tomcat 5.5.12 was compiled with JDK 1.4. The classes to be recompiled are the org.apache.tomcat.util.net.jsse.JSSE15Factory and org.apache.tomcat.util.net.jsse.JSSE15SocketFactory classes.
>>>> - The crlFile property needs to be added inside your SSL Connector in the server.xml file. The value is the location of the CRL file on your system.
>>>>
>>>> Regards,
>>>>
>>>> Martin
>>>>
>>>> --- "Duan, Nick" wrote:
>>>>
>>>>> Tomcat currently doesn't support cert validation against CRL. You may want to use Apache's mod_ssl to do the CRL checking. You will have to use mod_jk to connect Apache web server with tomcat.
>>>>>
>>>>> SSL is very computationally intensive. Using Apache's httpd to do the SSL work is more efficient than using Java-based tomcat.
>>>>>
>>>>> ND
>>>>>
>>>>> -----Original Message-----
>>>>> From: Kennedy Roberts [mailto:kroberts@syrres.com]
>>>>> Sent: Tuesday, November 29, 2005 10:55 AM
>>>>> To: users@tomcat.apache.org
>>>>> Subject: Certificate Revocation Lists in Tomcat 5.5
>>>>>
>>>>> Hi all,
>>>>>
>>>>> We've recently migrated our (SSL enabled) web application from SunOne to Tomcat 5.5, and I can't find any information on handling Certificate Revocation Lists in Tomcat. In SunOne, there was a function in the administration console that let you import a CRL. Is there any equivalent in Tomcat, or perhaps some other command line equivalent?
>>>>>
>>>>> Thanks for your help.
>>>>>
>>>>> -Kennedy

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
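The SSL Connector configuration the thread describes (clientAuth plus crlFile in conf/server.xml), as an added example that is not from the thread or from Tomcat's own documentation. The file names, keystore passwords and the use of ${catalina.home} for the paths are placeholders; it assumes the CRL is published by the same CA whose certificate sits in the truststore, and a Tomcat 5.5 build with the JSSE15SocketFactory fix the thread mentions.

```xml
<!-- conf/server.xml fragment (added example; paths and passwords are placeholders).
     clientAuth="true" makes Tomcat demand a client certificate during the handshake.
     The presented chain is validated against truststoreFile and then checked against
     the CRL in crlFile (single attribute, not "crlFiles"), so a revoked client
     certificate fails the TLS handshake before any request reaches the webapp. -->
<Connector port="8443"
           maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           sslProtocol="TLS"
           clientAuth="true"
           keystoreFile="${catalina.home}/conf/server.jks"
           keystorePass="changeit"
           truststoreFile="${catalina.home}/conf/client-ca.jks"
           truststorePass="changeit"
           crlFile="${catalina.home}/conf/client-ca.crl" />
```

The CRL is read when the connector initializes, so a newly published list takes effect only after the connector is restarted; a CRL signed by a CA that is not in the truststore is rejected rather than trusted.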